# OpenDKIM
Installing Postfix and OpenDKIM to send signed emails.
These instructions are written for RHEL 9 / AlmaLinux 9.
Commands are not prepended with sudo; I will assume you know when you need to use it.
# Install Packages
The OpenDKIM package is in the EPEL repo, so this needs to be installed first.
dnf install -y epel-release
As of RHEL9/AlmaLinux9 you will need the CRB repo for some dependencies:
dnf config-manager --set-enabled crb
dnf install -y postfix opendkim opendkim-tools s-nail
# Setting Up Postfix
Ensure the following is set in /etc/postfix/main.cf
Replace <DOMAIN> with the domain that you're sending mail from.
inet_interfaces is set to localhost by default; we can change this to all if we're sending mail from other hosts or from within docker.
You can further restrict who can send mail by only having 127.0.0.0/8 for mynetworks.
inet_interfaces = all
myhostname = <DOMAIN>
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Run postmap /etc/postfix/main.cf once you have finished editing the file.
Add the postfix user to the opendkim group:
usermod -a -G opendkim postfix
# Setting Up OpenDKIM
# Create a key
Create the key folder:
mkdir -p /etc/opendkim/keys/<DOMAIN>
Generate a new key:
opendkim-genkey -b 1024 -d <DOMAIN> -D /etc/opendkim/keys/<DOMAIN> -s default
Set permissions:
chown opendkim:opendkim -R /etc/opendkim/keys
View your public key:
cat /etc/opendkim/keys/<DOMAIN>/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEag2b9X0gl5M4u26Y70CcSCYnAdOFT6Q5iY07uIzd8sOkh7hgQvnx6zYvuhCwBtMS6S464uMdCc+M/I7ozGxUTF0mcvPeuvd2ieniGR2/+2vhoawvniofsAqrUTYLVYwb2uioTJp7ryJITN9+RaMds+o6qupqkJKfLC/+USC3QQIDAQAB" ) ; ----- DKIM key default for <DOMAIN>
# Create DNS Entry
Create a new TXT record with the name default._domainkey if this is at the top level of your domain, e.g. example.com
If your domain is a subdomain such as mail.example.com, then use default._domainkey.mail
From the example key above, the contents of this TXT record will be:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEag2b9X0gl5M4u26Y70CcSCYnAdOFT6Q5iY07uIzd8sOkh7hgQvnx6zYvuhCwBtMS6S464uMdCc+M/I7ozGxUTF0mcvPeuvd2ieniGR2/+2vhoawvniofsAqrUTYLVYwb2uioTJp7ryJITN9+RaMds+o6qupqkJKfLC/+USC3QQIDAQAB
Make sure that the quotes are removed, as well as excess spaces.
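The quote-stripping step above can be scripted. This added example (not part of the original instructions) joins the quoted chunks of default.txt into the single TXT value and reports the RSA modulus size; the function names and the 2048-bit threshold are assumptions of the example, and SAMPLE is the key output shown on this page.

```python
import base64
import re

# default.txt content as shown on this page (generated with -b 1024).
SAMPLE = '''default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEag2b9X0gl5M4u26Y70CcSCYnAdOFT6Q5iY07uIzd8sOkh7hgQvnx6zYvuhCwBtMS6S464uMdCc+M/I7ozGxUTF0mcvPeuvd2ieniGR2/+2vhoawvniofsAqrUTYLVYwb2uioTJp7ryJITN9+RaMds+o6qupqkJKfLC/+USC3QQIDAQAB" ) ; ----- DKIM key default for <DOMAIN>'''

def txt_value(zone_text):
    """Join the quoted chunks between ( and ) into the single TXT value."""
    inner = zone_text[zone_text.index("(") + 1:zone_text.index(")")]
    return "".join(re.findall(r'"([^"]*)"', inner))

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_b64):
    """Modulus size of the base64 SubjectPublicKeyInfo in the p= tag."""
    der = base64.b64decode(p_b64)
    _, spki, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)      # AlgorithmIdentifier (skipped)
    _, bits, _ = _tlv(der, alg_end)      # BIT STRING holding RSAPublicKey
    _, rsa, _ = _tlv(der, bits + 1)      # +1 skips the unused-bits byte
    _, n_start, n_end = _tlv(der, rsa)   # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(zone_text, min_bits=2048):
    """Return (txt_value, modulus_bits, problems); min_bits is an assumed policy."""
    value = txt_value(zone_text)
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        return value, None, problems + ["not an RSA key, size not checked"]
    bits = rsa_bits(tags["p"])
    if bits < min_bits:
        problems.append(f"RSA modulus is {bits} bits, below {min_bits}")
    return value, bits, problems

if __name__ == "__main__":
    value, bits, problems = check_record(SAMPLE)
    print(value)
    print(bits, problems)
```

Keys larger than 1024 bits are written by opendkim-genkey as several quoted chunks because a single DNS TXT string is limited to 255 characters; the join above handles any number of chunks.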
# OpenDKIM Configuration File
Note: If postfix runs chrooted, use Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock instead.
Edit /etc/opendkim.conf and ensure the following are set:
UMask 002
Mode sv
Socket local:/var/run/opendkim/opendkim.sock
Domain <DOMAIN>
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
Edit /etc/opendkim/KeyTable and add:
default._domainkey.<DOMAIN> <DOMAIN>:default:/etc/opendkim/keys/<DOMAIN>/default.private
Edit /etc/opendkim/SigningTable and add:
*@<DOMAIN> default._domainkey.<DOMAIN>
Edit /etc/opendkim/TrustedHosts and add:
127.0.0.1
172.16.0.0/12
10.0.0.0/8
192.168.0.0/16
::1
127.0.0.1 is the default entry; you can leave it as is if you're only sending from the same machine.
You will need 172.16.0.0/12 if you're using docker containers.
# Create directories and set perms
Note: This step is only required if postfix runs chrooted to /var/spool/postfix
mkdir -p /var/spool/postfix/var/run/opendkim
chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
# Start it all up
systemctl enable --now opendkim
systemctl enable --now postfix
# Test
Send an email to an address such as your Gmail account to check delivery:
echo "test mail" | mail -s "Test email" -r postfix@<DOMAIN> <MYACCOUNT>@gmail.com
If you open up the original mail in Gmail, it should show DKIM: 'PASS'.